[asterisk-bugs] [JIRA] (ASTERISK-24575) [patch]Make capath work for res_pjsip

Mark Michelson (JIRA) noreply at issues.asterisk.org
Thu Dec 4 16:27:29 CST 2014 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-24575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223889#comment-223889 ] 

Mark Michelson commented on ASTERISK-24575:
-------------------------------------------

I had a look at the Asterisk code review on reviewboard. Aside from what opticron mentioned about alembic scripts, it looks good to me.

The PJSIP code has potential problems though:

{code}
-    PJ_ASSERT_RETURN(pool && CA_file && cert_file && privkey_file, PJ_EINVAL);
+    PJ_ASSERT_RETURN(pool && CA_file && CA_path && cert_file && privkey_file, PJ_EINVAL);
{code}

>From what I understand about CA_file and CA_path, only one needs to be provided. This code will assert if one of CA_file or CA_path is NULL. From Asterisk, this won't ever happen, since AST_STRING_FIELDs can never be NULL. But if this is being added and to be used by other projects, this would need to be altered to allow for one of CA_file or CA_path to be NULL. Similarly, the subsequent {{pj_strdup_with_null()}} calls for CA_file and CA_path in this function would need to be made NULL-tolerant.

Also, I don't know how OpenSSL handles calls to SSL_CTX_load_verify_locations() when it is given empty strings for the CAfile or CApath parameters. https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html mentions what happens when NULL parameters are passed in, but it doesn't mention what happens when an empty string is passed in. If behavior is the same as for a NULL pointer, that's fine, but I just want to make sure we're not setting up a situation where we cause breakage because we end up passing an empty string instead of a NULL pointer into the function.

> [patch]Make capath work for res_pjsip
> -------------------------------------
>
>                 Key: ASTERISK-24575
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24575
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: pjproject/pjsip, Resources/res_pjsip
>    Affects Versions: SVN, 12.7.1, 13.0.1
>            Reporter: cloos
>         Attachments: pj-ca-path-12.diff, pj-ca-path-trunk.diff, pjproject-ca-path.diff
>
>
> Every component which does tls supports capaths in addition to cafiles, except pjsip.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list